From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andy Green <andy@warmcat.com>
Subject: [PATCH v6 02/16] net/nfp: solve buffer overflow
Date: Mon, 14 May 2018 13:00:01 +0800
Message-ID: <152627400193.52758.17048125095225539102.stgit@localhost.localdomain>
References: <152627394448.52758.15834703911138407294.stgit@localhost.localdomain>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To: dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mail.warmcat.com (mail.warmcat.com [163.172.24.82])
 by dpdk.org (Postfix) with ESMTP id A0E071C630
 for <dev@dpdk.org>; Mon, 14 May 2018 07:00:13 +0200 (CEST)
In-Reply-To: <152627394448.52758.15834703911138407294.stgit@localhost.localdomain>
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3160:
23: error: ‘%s’ directive writing up to 99 bytes into a
region of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial);

Note fw_buf still has to increase somewhat even after
restricting serial[], since otherwise:

/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:23:
error: ‘%s’ directive writing up to 99 bytes into a region
of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);
                       ^~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3262:32:
  err = nfp_fw_upload(dev, nsp, card_desc);
                                ~~~~~~~~~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:2:
note: ‘sprintf’ output between 25 and 124 bytes into a
destination of size 100
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

Signed-off-by: Andy Green <andy@warmcat.com>
Fixes: 896c265ef954 ("net/nfp: use new CPP interface")
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 drivers/net/nfp/nfp_net.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/nfp/nfp_net.c b/drivers/net/nfp/nfp_net.c
index 048324ec9..78113b41b 100644
--- a/drivers/net/nfp/nfp_net.c
+++ b/drivers/net/nfp/nfp_net.c
@@ -3144,8 +3144,8 @@ nfp_fw_upload(struct rte_pci_device *dev, struct nfp_nsp *nsp, char *card)
 	struct nfp_cpp *cpp = nsp->cpp;
 	int fw_f;
 	char *fw_buf;
-	char fw_name[100];
-	char serial[100];
+	char fw_name[125];
+	char serial[40];
 	struct stat file_stat;
 	off_t fsize, bytes;